Does Saml2SecurityTokenHandler support SAML2 assertions signed with SHA256?

Time: 2017-06-20 14:36:48

Tags: c# certificate saml-2.0

TL;DR: Can anyone find an authoritative source for which signature algorithms Saml2SecurityTokenHandler supports during validation?

I am using Saml2SecurityTokenHandler to validate SAML assertions from my IdP.

For reference, I am using a sample assertion signed with SHA256 from here:

<Assertion ID="_de9f29bd-52ca-4237-95c1-eb53f70fe8e5" IssueInstant="2012-11-06T00:45:30.593Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>ADatum</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_de9f29bd-52ca-4237-95c1-eb53f70fe8e5">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>+6OWUn1dFIUJQ6FQ25zgmZvg8zPzfcjnj4ujUvgfmEQ=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>O85ytS9fcAhOk/0K25SndyBUbNLrx6J+tv+Uht+HZZ4CzsqjVBU1FpkXjDG03HqZ7xEu3+rMnsyxefDq6Xftw1E926QsG/oPM/afWfbR5dLucjsVaNzXCXzZu+jBmp5KkAv/vv1Es67KnPMr/RDeCVFy9eyxJka6dd8h8RTlatg=</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
            <X509Certificate>...</X509Certificate>
        </X509Data>
    </KeyInfo>
</ds:Signature>
<Subject>
    <NameID>ADatum</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2012-11-06T00:45:31.905Z" NotOnOrAfter="9999-12-31T23:59:59.999Z">
    <AudienceRestriction>
        <Audience>https://accesscontrol.adatum.com</Audience>
    </AudienceRestriction>
</Conditions>
<AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/spf/2012/03/claims/tenantname">
        <AttributeValue>Fabrikam</AttributeValue>
    </Attribute>
</AttributeStatement>
<AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <AttributeValue>SSU</AttributeValue>
    </Attribute>
</AttributeStatement>
<AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <AttributeValue>accesscontrol@adaum.com</AttributeValue>
    </Attribute>
</AttributeStatement>
</Assertion>

I have the following code that attempts to validate this signature:

// Using directives the snippet needs: TokenValidationParameters, X509SecurityToken and
// SecurityTokenHandlerCollectionExtensions come from System.IdentityModel.Tokens
// (System.IdentityModel.dll plus the System.IdentityModel.Tokens.Jwt package).
using System.IdentityModel.Tokens;

//All that matters now is to validate the token and get the claims
var validationParameters = new TokenValidationParameters();
validationParameters.ValidIssuer = options.Issuer;
validationParameters.ValidAudience = options.Audience;
// The IdP signing certificate; the same one that is embedded in the assertion's KeyInfo
validationParameters.IssuerSigningToken = new X509SecurityToken(options.SigningCertificate);
validationParameters.ValidateLifetime = validateLifetime;
validationParameters.TokenReplayCache = options.ReplayRepository;

// Helper defined elsewhere in the caller's code; canonicalizes the response/assertion before validation
EnsureCanonicalForm(response, assertion);

SecurityTokenHandlerCollection coll = SecurityTokenHandlerCollectionExtensions.GetDefaultHandlers();
SecurityToken tokenOut;
// Throws "Signature verification failed" for the SHA256-signed assertion above
var retVal = coll.ValidateToken(assertion.OuterXml, validationParameters, out tokenOut);

options.SigningCertificate is the certificate you can see in the XML, starting with MII... . assertion.OuterXml is the entire content of the XML above.

I expected Saml2SecurityTokenHandler to be able to handle SHA256, but this code fails at ValidateToken() with the error

Signature verification failed.

I know the code works with SHA1, using the same code and a different sample assertion.

I cannot find any mention of signature algorithms in the documentation for the handler or the token itself, but at least one of the specs for XML signature hashing does call out SHA256.

Can anyone find an authoritative source for which signature algorithms this class supports?

1 Answer:

Answer 0 (score: 1)

Saml2SecurityTokenHandler does not handle whitespace correctly when validating signatures. In most cases it does not matter, because assertions are rarely pretty-printed. But this one is, so I guess that is the problem.

For the SAML library I created, we skip signature validation in the handler entirely and do our own based on SignedXml instead, which is more reliable (though you have to remember to check the references yourself).
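Added example, not code from the question or from the answer's library: a SignedXml-based signature check of the kind the answer describes, applied to an assertion like the one in the question, including the reference checks that SignedXml will not do for you. It takes the assertion XML string and the certificate you already trust for the IdP (the question's options.SigningCertificate) as inputs; the allow-lists of algorithms and transforms are this example's own choices, matched to the sample assertion (rsa-sha256, exc-c14n, enveloped-signature).

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not the question's or the answer's code). Verifies the enveloped
// ds:Signature on a SAML 2.0 <Assertion> with SignedXml and performs the reference
// checks the answer says you must remember to do yourself.
public static class AssertionSignatureVerifier
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // Allow-lists chosen for this example. SHA-1 is deliberately absent.
    static readonly string[] AllowedSignatureMethods =
    {
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    };
    static readonly string[] AllowedDigestMethods =
    {
        "http://www.w3.org/2001/04/xmlenc#sha256",
        "http://www.w3.org/2001/04/xmldsig-more#sha384",
        "http://www.w3.org/2001/04/xmlenc#sha512",
    };
    static readonly string[] AllowedTransforms =
    {
        "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
        "http://www.w3.org/2001/10/xml-exc-c14n#",
    };

    // SignedXml resolves a Reference URI of "#id" through GetIdElement. The default
    // searches the whole document for any element with a matching ID, which is what
    // signature-wrapping attacks exploit. This subclass only resolves to the one
    // assertion element we were handed.
    sealed class AssertionSignedXml : SignedXml
    {
        readonly XmlElement _assertion;

        public AssertionSignedXml(XmlElement assertion) : base(assertion)
        {
            _assertion = assertion;
        }

        public override XmlElement GetIdElement(XmlDocument document, string idValue)
        {
            return _assertion.GetAttribute("ID") == idValue ? _assertion : null;
        }
    }

    // True only if the root is a SAML Assertion with exactly one ds:Signature as a
    // direct child, the algorithms are allowed, there is exactly one Reference and it
    // points at this assertion's ID, and the signature verifies with expectedSigner's
    // public key. The KeyInfo inside the token is ignored on purpose.
    public static bool Verify(string assertionXml, X509Certificate2 expectedSigner)
    {
        var doc = new XmlDocument
        {
            // Digests are computed over canonicalized text, whitespace included.
            // Dropping whitespace on load breaks the digest of a pretty-printed
            // assertion like the one in the question.
            PreserveWhitespace = true,
            // No DTD or external entity resolution for untrusted XML.
            XmlResolver = null,
        };
        doc.LoadXml(assertionXml);

        XmlElement assertion = doc.DocumentElement;
        if (assertion == null || assertion.LocalName != "Assertion" || assertion.NamespaceURI != SamlNs)
            return false;

        string assertionId = assertion.GetAttribute("ID");
        if (string.IsNullOrEmpty(assertionId))
            return false;

        // Only a Signature that is a direct child of the Assertion counts.
        var signatures = assertion.ChildNodes.OfType<XmlElement>()
            .Where(e => e.LocalName == "Signature" && e.NamespaceURI == DsNs)
            .ToList();
        if (signatures.Count != 1)
            return false;

        var signedXml = new AssertionSignedXml(assertion);
        signedXml.LoadXml(signatures[0]);

        if (!AllowedSignatureMethods.Contains(signedXml.SignedInfo.SignatureMethod))
            return false;

        // Exactly one Reference, and it must cover this assertion, with allowed
        // digest and transforms only.
        if (signedXml.SignedInfo.References.Count != 1)
            return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + assertionId)
            return false;
        if (!AllowedDigestMethods.Contains(reference.DigestMethod))
            return false;
        foreach (Transform t in reference.TransformChain)
        {
            if (!AllowedTransforms.Contains(t.Algorithm))
                return false;
        }

        // verifySignatureOnly: true skips chain building; trust in the certificate
        // comes from IdP metadata or configuration, never from the token itself.
        return signedXml.CheckSignature(expectedSigner, verifySignatureOnly: true);
    }
}
```

In the question's code this would replace only the signature step, e.g. AssertionSignatureVerifier.Verify(assertion.OuterXml, options.SigningCertificate); issuer, audience, lifetime and replay checks still have to be done separately. One caveat for the question's SHA256 case: on .NET Framework versions before 4.6.2, SignedXml does not recognise the rsa-sha256 algorithm URI and CheckSignature fails unless you register a SignatureDescription for it with CryptoConfig.AddAlgorithm; from 4.6.2 onward (and on .NET Core / .NET 5+) it is built in.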